Skillv1.0.0

ClawScan security

Conversation Archiver · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 28, 2026, 10:17 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's purpose (writing archive files) is plausible, but the runtime instructions are vague about external posting and task updates and don't declare the credentials or scope needed, which creates risk and inconsistency.
Guidance: This skill is plausible for archiving, but it leaves important details unspecified. Before installing or using it, confirm: (1) exactly where the agent will write files and restrict its filesystem permissions to that directory; (2) how Discord posting is authenticated—prefer a single-use webhook URL stored explicitly (e.g., ARCHIVE_DISCORD_WEBHOOK) rather than allowing the agent to access arbitrary tokens; (3) what 'mark task complete' means (which task system or file) and supply only the minimal API access required; (4) require the agent to ask for explicit user confirmation before posting any archive text outside the workspace; and (5) review archived content for sensitive data before any external posting. If possible, update SKILL.md/metadata to declare required env vars (Discord webhook or bot token, task-system creds) and to narrow the described scope.

Review Dimensions

Purpose & Capability: noteName/description match the instructions to write archive files and update memory/tasks. However, the SKILL.md mentions optionally posting to Discord and marking tracked tasks complete without specifying how (webhook vs bot token, which task system), so required capabilities for those features are not declared.
Instruction Scope: concernInstructions explicitly direct the agent to write files under archive/ and to append to memory/YYYY-MM-DD.md and to mark tasks complete. They also permit posting summaries to a Discord channel and linking full files. That allows exfiltration of full conversation contents unless posting behavior and auth are constrained. The instructions are vague about what 'mark it complete' means (which external systems, APIs, or files), giving the agent broad discretion.
Install Mechanism: okInstruction-only skill with no install spec or downloaded code; nothing will be written to disk by an installer. This minimizes supply-chain risk.
Credentials: concernThe skill requests no environment variables or credentials in metadata, but runtime behavior (posting to Discord, updating external task trackers) will require credentials (webhook URL, bot token, API keys). The absence of declared credentials is an inconsistency and could lead the agent to reuse unrelated tokens or prompt for/seek secrets at runtime.
Persistence & Privilege: okalways:false and no install means the skill does not demand permanent presence or elevated platform privileges. It does require write access to the workspace (archive/ and memory/ files), which is normal but should be limited to intended paths.